Bebop: A Symbolic Model Checker for Boolean Programs
Transcript and Presenter's Notes
1
Bebop: A Symbolic Model Checker for Boolean Programs
  • Thomas Ball
  • Sriram K. Rajamani

http://research.microsoft.com/slam/
2
Outline
  • Boolean Programs and Bebop
    • What?
    • Why?
    • Results
    • Demo
  • Semantics of Boolean Programs
  • Technical details of algorithm
  • Evaluation
  • Related Work

3
Boolean Programs: What?
  • Model for representing abstractions of imperative
    programs in C, C++, Java, etc.
  • Features
    • Boolean variables
    • Control flow: sequencing, conditionals, looping,
      GOTOs
    • Procedures
      • Call-by-value parameter passing
      • Recursion
    • Control non-determinism

4
Boolean programs: Why?
  bool x,y;
  while (true) {
    if (x && y)          // binary operator lost in extraction; && assumed
      y = !x;
    else {
      x = !x;
      y = !y;
    }
    if (?) break;        // ? is control non-determinism
  }
  if (x && y)            // same operator as above
    assert(false);
  • Representation of program abstractions, à la
    Cousot & Cousot
  • Each boolean variable represents a predicate, e.g.
    • (i < j)
    • (p ? i), ((int) p ? j)
    • (p ? T), where T is a recursive data type
    (the operators shown as ? were lost in extraction)
  • Graf-Saïdi (predicate abstraction)

5
Bebop - Results
  • Reachability in boolean programs reduced to
    context-free language reachability
  • Symbolic interprocedural dataflow analysis
    • Adaptation of the Reps-Horwitz-Sagiv (POPL '95)
      algorithm
  • Complexity of algorithm is O(E · 2^n)
    • E = size of interprocedural control flow graph
    • n = max. number of variables in the scope of any
      label

6
Bebop - Results
  • Admits control flow and variables
    • Existing pushdown model checkers don't use
      variables (they encode variable values explicitly
      in the state): Esparza et al.
  • Analyzes procedures separately
    • exploits procedural abstraction and locality of
      variable scopes
  • Uses hybrid representation
    • Explicit representation of control flow graph, as
      in a compiler
    • Implicit representation of reachable states via
      BDDs
  • Generates hierarchical trace

7
Bebop Demo!
8
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
    • stackless semantics using context-free grammar
  • Technical details of algorithm
  • Evaluation
  • Related Work

9
Stackless Semantics
  • State σ = <p, Ω>
    • p: program counter
    • Ω: valuation to variables in scope at p
    • No stack!
  • Σ(B): finite alphabet over boolean program B
    • <call, p, Ω>
      Call (with return to p), Ω a valuation to
      Locals(p)
    • <ret, p, Ω>
      Return to p, Ω a valuation to Locals(p)

10
State transition <p, Ω> --a--> <p', Ω'>   (figure)
  Ω'(x) = Ω(x), x in Locals(c)
  Ω'(g) = Ω(g), g a global
11
Trace Semantics
  • Context-free grammar L(B) constrains allowable
    traces
    • M -> <call, q, Ω> M <ret, q, Ω>
    • M -> M M
    • M -> ε
  • σ0 -a1-> σ1 -a2-> ... σm-1 -am-> σm is a
    trajectory of B iff
    • σi -a(i+1)-> σ(i+1) is a state transition, for all i
    • a1 a2 ... am ∈ L(B)

12
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
  • Technical details of reachability algorithm
    • Binary Decision Diagrams (BDDs)
    • Path edges
    • Summary edges
    • Example
  • Preliminary Evaluation
  • SLAM Project

13
Binary Decision Diagrams
  • Acyclic graph data structure for representing a
    boolean function (equivalently, a set of bit
    vectors)
  • F(x,y,z) = (x ? y)   (figure; the operator shown as ? was lost in extraction)

14
Hash Consing / Variable Elimination   (figure slide)
15
Path Edges
  • <Ωe, Ωp> ∈ PE(p) iff
    • there exists an initialized trajectory ending in
      <e, Ωe>, where e = entry(Proc(p))
    • there exists a trajectory from <e, Ωe> to <p, Ωp>
  • PE(p) is a set of pairs of valuations to boolean
    variables in scope in Proc(p)
  • Can be represented with a BDD!

16
Representing Path Edges with BDDs
  • Example PE(p) for boolean variables x, y and z
    • PE(p) = F(x,y,z,x',y',z') = (x'=x) ∧ (y'=y) ∧ (z' = x ? y)
  • BDDs also used to represent transfer functions
    for statements
    • Transfer(z := x ? y) = F(x,y,z,x',y',z') =
      (x'=x) ∧ (y'=y) ∧ (z' = x ? y)
  (the operator shown as ? was lost in extraction)

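The relation of slide 16 as running code, added here as an example rather than taken from Bebop: a minimal reduced ordered BDD with a unique table (the hash consing of slide 14), used to build Transfer(z := x & y) over before/after variables and to quantify a variable out, which is the operation the later LVA optimization (slide 28, "quantify out variables as soon as they become dead") relies on. The `&` in the statement, the interleaved variable order and all class and function names are this example's own choices.

```python
"""A small reduced ordered BDD package with hash consing, used to build the
transfer relation of `z := x & y` over unprimed (before) and primed (after)
variables and to quantify a variable out. Added example; not Bebop's own
BDD code, and the choice of `&` for the statement is this example's."""

class BDD:
    def __init__(self, order):
        self.names = list(order)                       # level -> variable name
        self.level_of = {v: i for i, v in enumerate(order)}
        self.nodes = [None, None]                      # ids 0 = false, 1 = true
        self.unique = {}                               # (level, low, high) -> id

    def mk(self, level, low, high):
        """Hash-consed constructor: equal functions get equal node ids."""
        if low == high:                                # redundant test
            return low
        key = (level, low, high)
        if key not in self.unique:                     # would be a duplicate node
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(self.level_of[name], 0, 1)

    def apply(self, op, u, v, memo=None):
        """Shannon expansion on the topmost variable of u and v."""
        memo = {} if memo is None else memo
        if u <= 1 and v <= 1:
            return int(op(bool(u), bool(v)))
        if (u, v) in memo:
            return memo[(u, v)]
        top = len(self.names)
        lu = self.nodes[u][0] if u > 1 else top
        lv = self.nodes[v][0] if v > 1 else top
        lvl = min(lu, lv)
        u0, u1 = self.nodes[u][1:] if lu == lvl else (u, u)
        v0, v1 = self.nodes[v][1:] if lv == lvl else (v, v)
        r = self.mk(lvl, self.apply(op, u0, v0, memo), self.apply(op, u1, v1, memo))
        memo[(u, v)] = r
        return r

    def restrict(self, u, name, value, memo=None):
        """u with variable `name` fixed to `value`."""
        memo = {} if memo is None else memo
        if u <= 1 or self.nodes[u][0] > self.level_of[name]:
            return u
        if u in memo:
            return memo[u]
        lvl, low, high = self.nodes[u]
        if lvl == self.level_of[name]:
            r = high if value else low
        else:
            r = self.mk(lvl, self.restrict(low, name, value, memo),
                        self.restrict(high, name, value, memo))
        memo[u] = r
        return r

    def exists(self, name, u):
        """Existential quantification: u[name:=0] | u[name:=1]."""
        return self.apply(lambda a, b: a or b,
                          self.restrict(u, name, False), self.restrict(u, name, True))

    def evaluate(self, u, env):
        while u > 1:
            lvl, low, high = self.nodes[u]
            u = high if env[self.names[lvl]] else low
        return bool(u)

    def count(self, u):
        """Number of satisfying assignments over all variables of the order."""
        def go(u, lvl):
            if u <= 1:
                return u << (len(self.names) - lvl)
            l, low, high = self.nodes[u]
            return (go(low, l + 1) + go(high, l + 1)) << (l - lvl)
        return go(u, 0)

AND = lambda a, b: a and b
IFF = lambda a, b: a == b

def transfer_z_is_x_and_y():
    """Transfer(z := x & y) = (x' = x) & (y' = y) & (z' = x & y), with the
    interleaved order x, x', y, y', z, z' that keeps such relations small."""
    b = BDD(["x", "x'", "y", "y'", "z", "z'"])
    x, xp, y, yp, _, zp = (b.var(n) for n in b.names)
    t = b.apply(AND, b.apply(IFF, xp, x), b.apply(IFF, yp, y))
    t = b.apply(AND, t, b.apply(IFF, zp, b.apply(AND, x, y)))
    return b, t

if __name__ == "__main__":
    b, t = transfer_z_is_x_and_y()
    print("satisfying (before, after) pairs:", b.count(t))          # 8
    print("after quantifying out z':", b.count(b.exists("z'", t)))  # 16
```

Because the before-variables x, y, z are free and the after-variables are determined, the relation has exactly 8 satisfying assignments; quantifying out z' leaves (x'=x) ∧ (y'=y) with 16. The unique table is what makes `b.exists("z", t) == t` a pointer comparison: z does not occur in the relation, so the canonical node comes back unchanged.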
17
  decl g;
  void main()
  begin
    decl h;
    h := !g;
    A(g,h);
    skip;
    A(g,h);
    skip;
    if (g) then
      R: skip;
    fi
  end

  void A(a1,a2)
  begin
    if (a1) then
      A(a2,a1);
      skip;
    else
      g := a2;
    fi
  end

  Join(S,T) = { <Ω1,Ω2> | <Ω1,ΩJ> ∈ S, <ΩJ,Ω2> ∈ T }
18
Summary Edges: <Ω1,Ω2> = Lift(<Ωd,Ωr>, Pr)
  (figure: call site c to Pr() in the caller, and the body of Pr();
   the callee's path edge <Ωd,Ωr> is lifted to the summary edge <Ω1,Ω2> across the call)
  • Ω1(x) = Ω2(x), x in Locals(c)
    • Locals don't change
  • Ω1(g) = Ωd(g) and Ωr(g) = Ω2(g), g global
    • Propagation of global state

23
Worklist Algorithm
  • while PE(v) has changed, for some v:
    • determine if any new path edges can be generated
  • New path edge comes from
    • existing path edge ∘ transfer function
    • existing path edge ∘ summary edge (transfer
      function for procedure calls)
  • New summary edges generated from path edges that
    reach the exit vertex

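The worklist algorithm of slides 15 to 23 as an added example (this example's own Python, not Bebop's implementation): explicit sets of <Ωe, Ω> pairs replace BDDs for path edges and summary edges, and the program analysed is the one from slide 17, encoded by hand as a control-flow graph whose node names (m0 .. m_exit, A0 .. A_exit) are invented here. Uninitialised locals are treated as nondeterministic, as in Boolean programs, and the query is whether label R is reachable. The call A(a2,a1) with a1 = a2 = true recurses forever and therefore never yields a summary edge; the worklist still terminates because the set of valuation pairs is finite.

```python
"""Bebop's path-edge / summary-edge worklist algorithm in explicit-state form,
run on the two-procedure Boolean program from the slides. Sets of
(entry valuation, current valuation) pairs stand in for the BDDs Bebop uses;
the CFG encoding and node names are this example's own."""
from collections import defaultdict, deque
from itertools import product

GLOBALS = ("g",)

# node -> (kind, payload, successor)
# kinds: skip | assign (var, expr) | branch cond, (then, else) | call (proc, args) | exit
# The slide program (labels added here):
#   decl g;  void main() begin decl h; h := !g; A(g,h); skip; A(g,h); skip;
#            if (g) then R: skip; fi end
#   void A(a1,a2) begin if (a1) then A(a2,a1); skip; else g := a2; fi end
PROGRAM = {
    "main": {"params": (), "locals": ("h",), "entry": "m0", "nodes": {
        "m0": ("assign", ("h", lambda v: not v["g"]), "m1"),
        "m1": ("call", ("A", (lambda v: v["g"], lambda v: v["h"])), "m2"),
        "m2": ("skip", None, "m3"),
        "m3": ("call", ("A", (lambda v: v["g"], lambda v: v["h"])), "m4"),
        "m4": ("skip", None, "m5"),
        "m5": ("branch", lambda v: v["g"], ("R", "m_exit")),
        "R": ("skip", None, "m_exit"),
        "m_exit": ("exit", None, None)}},
    "A": {"params": ("a1", "a2"), "locals": (), "entry": "A0", "nodes": {
        "A0": ("branch", lambda v: v["a1"], ("A1", "A3")),
        "A1": ("call", ("A", (lambda v: v["a2"], lambda v: v["a1"])), "A2"),
        "A2": ("skip", None, "A_exit"),
        "A3": ("assign", ("g", lambda v: v["a2"]), "A_exit"),
        "A_exit": ("exit", None, None)}},
}

def scope(program, proc):
    return GLOBALS + program[proc]["params"] + program[proc]["locals"]

def valuations(names, fixed):
    """All valuations over `names` agreeing with `fixed`; other vars are free."""
    free = [n for n in names if n not in fixed]
    for bits in product((False, True), repeat=len(free)):
        yield frozenset(dict(fixed, **dict(zip(free, bits))).items())

def analyze(program=PROGRAM, main="main"):
    """Returns (PE, SE): path edges per node and summary edges per procedure."""
    proc_of = {n: p for p in program for n in program[p]["nodes"]}
    PE, SE = defaultdict(set), defaultdict(set)
    callers = defaultdict(set)                 # callee -> call nodes seen so far
    work = deque()

    def add_pe(node, edge):
        if edge not in PE[node]:
            PE[node].add(edge)
            work.append((node, edge))

    def callee_entries(callee, args, v):
        # Globals are shared, parameters are call-by-value, and the callee's
        # locals start uninitialised, i.e. with every value (nondeterminism).
        fixed = {x: v[x] for x in GLOBALS}
        fixed.update(zip(program[callee]["params"], (a(v) for a in args)))
        return set(valuations(scope(program, callee), fixed))

    def apply_summaries(call_node, edge):
        # Lift: caller locals are unchanged across the call; globals after the
        # call come from the exit valuation of a matching summary edge.
        oe, o = edge
        _, (callee, args), ret = program[proc_of[call_node]]["nodes"][call_node]
        v = dict(o)
        entries = callee_entries(callee, args, v)
        for se_in, se_out in SE[callee]:
            if se_in in entries:
                v2 = dict(v, **{x: dict(se_out)[x] for x in GLOBALS})
                add_pe(ret, (oe, frozenset(v2.items())))

    for o in valuations(scope(program, main), {}):   # initial path edges <Ω,Ω>
        add_pe(program[main]["entry"], (o, o))

    while work:
        node, (oe, o) = work.popleft()
        proc = proc_of[node]
        kind, payload, succ = program[proc]["nodes"][node]
        v = dict(o)
        if kind == "skip":
            add_pe(succ, (oe, o))
        elif kind == "assign":                 # path edge ∘ transfer function
            var, expr = payload
            v[var] = expr(v)
            add_pe(succ, (oe, frozenset(v.items())))
        elif kind == "branch":
            add_pe(succ[0] if payload(v) else succ[1], (oe, o))
        elif kind == "call":                   # path edge ∘ summary edge
            callee, args = payload
            callers[callee].add(node)
            for oc in callee_entries(callee, args, v):
                add_pe(program[callee]["entry"], (oc, oc))
            apply_summaries(node, (oe, o))
        elif kind == "exit":                   # new summary edge for proc
            if (oe, o) not in SE[proc]:
                SE[proc].add((oe, o))
                for c in callers[proc]:
                    for edge in list(PE[c]):
                        apply_summaries(c, edge)
    return PE, SE

def reachable(label, program=PROGRAM, main="main"):
    """Reachability query: does some trajectory reach `label`?"""
    return bool(analyze(program, main)[0][label])

if __name__ == "__main__":
    print("R reachable:", reachable("R"))      # True
```

Only runs that start with g = true reach R: when g starts false, the first call sets g to true and the second call is then A(true,true), which never returns. The procedure A is entered with four distinct valuations but acquires only three summary edges, the missing one being exactly that non-terminating entry.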
24
Generating Error Traces
  • Partition reachable states into rings
  • A ring R at stmt S is numbered N iff there is a
    shortest trace of length N to S ending in a state
    in R
  • Hierarchical generation of error trace
  • Skip over or descend into called procedures

25
Outline
  • Boolean Programs and Bebop
  • Semantics of Boolean Programs
  • Technical details of algorithm
  • Preliminary Evaluation
    • Linear behavior if the number of vars in scope
      remains constant
    • Self application of Bebop
  • Related Work

26
  void level<i>()
  begin
    decl a,b,c;
    if (g) then
      while (!a | !b | !c) do
        if (!a) then a := 1;
        elsif (!b) then a,b := 0,1;
        elsif (!c) then a,b,c := 0,0,1;
        else skip;
        fi
      od
    else
      <stmt>;
      <stmt>;
    fi
    g := !g;
  end

  decl g;
  void main()
  begin
    level1();
    level1();
    if (!g) then reach: skip; else skip; fi
  end
  (the connectives of the loop condition were lost in extraction; | assumed)
28
Application: Analysis Validation
  • Live variable analysis (LVA)
    • A variable x is live at s if there is a path from
      s to a use of x (with no intervening def of x)
  • Used to optimize Bebop
    • Quantify out variables as soon as they become
      dead
  • How to check correctness of LVA?
  • Analysis validation
    • Create a boolean program to check results of LVA
    • Model check boolean program (w/out LVA)

29
Analysis Validation
  • Output of LVA: (s,x) = x is dead at s
  • Boolean program
    • Two variables per original program var x
      • x_dead (initially 0)
      • x_defined (initially 0)
    • For each fact (s,x):
      x_dead, x_defined := 1, 0
    • For each def of x:
      x_defined := 1
    • For each use of x:
      if (x_dead & !x_defined) LVAError()
  • Query: is LVAError reachable?

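The recipe of slides 28 and 29 carried through on a five-node control-flow graph, as an added example (this example's own code, not the Bebop or SLAM implementation): run live-variable analysis, emit its "x is dead after s" facts, build the x_dead / x_defined instrumentation, and search the instrumented program for LVAError. Plain explicit-state search stands in for Bebop. A deliberately broken LVA variant (kill applied before gen, which mishandles statements such as `x := x + 1` that both use and define x) is included to show the check firing; the CFG, its node names and the bug are constructed for this example.

```python
"""The slide's analysis-validation recipe on a small control-flow graph:
run live-variable analysis (LVA), turn its "x is dead after s" facts into the
x_dead / x_defined instrumentation, and search the instrumented program for
LVAError. Plain explicit-state search stands in for Bebop here. The CFG, its
node names and the deliberately broken LVA variant are this example's own."""
from collections import deque

# node -> (uses, defs, successors); roughly:
#   n0: x := input();  n1: while (?) {  n2: x := x + 1  }  n3: y := 0;  n4: use(y)
CFG = {
    "n0": ((), ("x",), ("n1",)),
    "n1": ((), (), ("n2", "n3")),
    "n2": (("x",), ("x",), ("n1",)),
    "n3": ((), ("y",), ("n4",)),
    "n4": (("y",), (), ()),
}

def live_variables(cfg, buggy=False):
    """Backward may-analysis iterated to a fixpoint; returns live_out per node.
    buggy=True applies kill before gen, which is wrong for a statement such as
    `x := x + 1` that both uses and defines x."""
    live_in = {n: set() for n in cfg}
    live_out = {n: set() for n in cfg}
    changed = True
    while changed:
        changed = False
        for n, (uses, defs, succs) in cfg.items():
            out = set().union(*(live_in[s] for s in succs))
            if buggy:
                new_in = (out | set(uses)) - set(defs)
            else:
                new_in = (out - set(defs)) | set(uses)
            if out != live_out[n] or new_in != live_in[n]:
                live_out[n], live_in[n] = out, new_in
                changed = True
    return live_out

def dead_facts(cfg, live_out):
    """LVA output as the slide's facts (s, x): x is dead at (after) s."""
    variables = {v for uses, defs, _ in cfg.values() for v in uses + defs}
    return {(n, x) for n in cfg for x in variables if x not in live_out[n]}

def validate(cfg, facts, entry="n0"):
    """Explicit-state reachability of LVAError in the instrumented program.
    A state is (node, x_dead bits set, x_defined bits set); branches are
    non-deterministic, as in the boolean program. Returns None when LVAError
    is unreachable, otherwise the (node, variable) of the offending use."""
    start = (entry, frozenset(), frozenset())
    seen, work = {start}, deque([start])
    while work:
        node, dead, defined = work.popleft()
        uses, defs, succs = cfg[node]
        for x in uses:                       # if (x_dead & !x_defined) LVAError()
            if x in dead and x not in defined:
                return (node, x)
        defined = defined | set(defs)        # x_defined := 1 at each def of x
        for s, x in facts:                   # x_dead, x_defined := 1, 0 at fact (s, x)
            if s == node:
                dead, defined = dead | {x}, defined - {x}
        for s in succs:
            state = (s, dead, defined)
            if state not in seen:
                seen.add(state)
                work.append(state)
    return None

def check(cfg=CFG, buggy=False):
    """Run LVA, build its facts and validate them. None means LVA passed."""
    return validate(cfg, dead_facts(cfg, live_variables(cfg, buggy)))

if __name__ == "__main__":
    print("correct LVA:", check())              # None
    print("buggy LVA:  ", check(buggy=True))    # ('n2', 'x')
```

The broken analysis reports x dead after n0 and n1 because it kills x at `x := x + 1` before counting the use; the instrumented program reaches the use of x at n2 with x_dead set and x_defined clear, which is the LVAError of slide 29. The correct analysis produces no reachable error.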
30
Results
  • Found subtle error in implementation of LVA
  • Was able to show colleague that there was another
    error, in his code
  • Analysis validation now part of regression test
    suite

31
Related Work
  • Pushdown Automata (PDA) decidability results
    • Hopcroft-Ullman
  • Model checking PDAs
    • Bouajjani-Esparza-Maler; Esparza-Hansel-Rossmanith-Schwoon
  • Model checking Hierarchical State Machines
    • Alur, Grosu
  • Interprocedural dataflow analysis
    • Sharir-Pnueli; Steffen; Knoop-Steffen;
      Reps-Horwitz-Sagiv

32
Related Work
  • Reps-Horwitz-Sagiv (RHS) algorithm
    • Handles IFDS problems
      • Interprocedural
      • Finite domain D
      • Distributive dataflow functions (MOP = MFP)
      • Subsets of D
    • Dataflow as CFL reachability over exploded
      graph
  • Our results
    • RHS algorithm can be reformulated as a
      traditional dataflow algorithm over original
      control-flow graph with same time/space
      complexity
    • Reformulated algorithm is easily lifted to
      powersets of D using BDDs
      • Arbitrary dataflow functions
      • Path-sensitive

33
Summary
  • Bebop: a model checker for boolean programs
    • Based on interprocedural dataflow analysis using
      BDDs
    • Exploits procedural abstraction
    • Admits many traditional compiler optimizations
    • Hierarchical trace generation, DHTML user
      interface
    • Release at end of year
  • SLAM project
    • Iteratively refine boolean program models of C
      programs
    • Use path simulation to discover relevant
      predicates (simcl)
    • Automated predicate abstraction (c2bp)

34
  • Software Productivity Tools
  • Microsoft Research
  • http://research.microsoft.com/slam/